Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
02/08/2024, 06:51
General
-
Target
88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
-
Size
1.1MB
-
MD5
400f693c2c8abb895b25e5fb410dd022
-
SHA1
bca9d595d5559c953b15985cfba5b2fc84b6467d
-
SHA256
88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39
-
SHA512
9ba0ac473594e43b1e2f493566201801d8849945e079b9b552f37fefbf9424e399a7f415212df2206c26548d30a58a601b47431235a5690631a97d03aab617dc
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QE:CcaClSFlG4ZM7QzMj
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe"C:\Users\Admin\AppData\Local\Temp\88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD5cc615a03c0c33f72cab0bc9df2a1c1ec
SHA1ab67acc1a0c36c8082f761f5139a9586c62fbdab
SHA25692a66c11187e5b6fd10d3d78f42d6ac01056850ce856e26fcda748c1e36eea45
SHA5123f929dcddd2933a5cd105c48e6735d54bb6f9ca10e961de6d76142b92f5e2af1c1ae8f2ae759c2aea4f5fe2f0735044e8036d05a3c14e8c6c1bc7dc07a7fbcfe
-
Filesize
1.1MB
MD5af81bc53ee17a7d9bda879d1f7a0caec
SHA130bb0c33dfad2637ab257f32bf3173eda37d32f8
SHA2563e7c045ce0592296b6f564b6e52bf736f2087ed2f21b1273679325fdd20cac2a
SHA51273846b95e09c6372a0c5aefca59fdce48e4b4f60fe7ac3df959101fad7a876d8fe7686f07418b7f4ddd31785c83bbe296bc1a2dd7e436e177a64ef806b4d9f3b
-
Filesize
1.3MB